This vulnerability creates a ZIP file that appears to contain one thing when compressed, but actually houses something different altogether, said Israeli security researcher, Danor Cohen.

From an attacker’s standpoint, they can effectively compress a Trojan, or some other malware, with WinRAR and make it seem like the created ZIP file contains an image, or something else that is harmless. The attacker then waits for someone to click on the file, which is actually an executable, and the target ends of compromised.

Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers found it can end up exploited on all versions of WinRAR, including version 5.1.

The exploit is possible because WinRAR will compress a file and create new properties, including an extra ‘file name’ input. By altering one of the ‘file name’ inputs, the ZIP will say it contains something different from what is actually inside.

IntelCrawler found starting March 24 attackers exploiting this WinRAR vulnerability in a “cyber espionage campaign” targeting aerospace companies, military subcontractors, embassies, and firms on the Fortune Global 500 list.

In one sample of a spam email obtained by IntelCrawler, the attackers attached the password protected, malicious ZIP file – named ‘FAX.zip’ – and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.

Researchers analyzed the attachment and determined it was a Zeus-like Trojan capable of establishing remote administration channels with the infected victim, and gathering passwords and saved forms, according to the research.